Thanks to Keith for spending time on this article. I find it really interesting and hope to share it with you.
Original article: Trend Micro Keith Lin, Security Analyst
Many experts have published their analysis of the recent uproar resulting from the MSN website redirect attack. There have always been attacks on loopholes in internet protocols. Unlike earlier computer viruses and worms, a network attack targets loopholes in the internet protocol itself, which makes it difficult for users to find the origin of the problem.
Network attacks can generally be classified into three main categories. Though the signs of infection may look very similar to a normal user, the working principles are actually different.
The first type of attack deceives the DNS. This type of attack originates from a virus that changes the computer's hosts file. After mutation, it changes the DNS query reply directly: a virus can change the computer's query reply locally, as WORM_DOWNAD does. Attackers can also perform ARP spoofing attacks by creating false DHCP packets within a LAN environment, which can change the user's DNS server to an external rogue DNS server. Moreover, someone may alter the ISP's DNS server contents directly (e.g. previously on China's ISPs). The objective is the same regardless of whether the attack is on the personal computer, the local area network or even the ISP network: to change the DNS query contents so that users are redirected to a malicious website while browsing the internet.
So how do we handle such network attacks? The simplest way is to use another network connection to query another ISP's DNS, or to use online DNS lookup services to validate and compare for the correct IP address. In addition, you can check the false IP directly and observe it for any signs of suspicion.
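The comparison recommended above can be scripted. The following Python is an added example, not code from the original article or from Trend Micro: it builds a raw DNS A query, sends it to other resolvers, compares their answers with the system resolver's, and also checks hosts-file text for pinned names, which is what the virus described above alters. The resolver addresses, watched names, embedded DNS response and hosts-file text are constructed for the example (the live check in main() needs network access; everything else runs offline).

```python
import random
import socket
import struct
from collections import Counter

# Assumed public resolvers to compare against (used only by the live check in main()).
EXTRA_RESOLVERS = ["8.8.8.8", "1.1.1.1"]


def build_a_query(name, txid):
    """Build a minimal DNS query: one question, type A, class IN, RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) DNS name and return the new offset."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1
        if length == 0:                # root label: end of name
            return offset
        offset += length


def parse_a_answers(data, txid):
    """Return the sorted A-record IPs from a DNS response; reject a mismatched txid."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply was not for our query)")
    offset = 12
    for _ in range(qd):                # skip the echoed question section (name + type + class)
        offset = _skip_name(data, offset) + 4
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return sorted(ips)


def query_resolver(resolver, name, timeout=3.0):
    """Send the A query over UDP to one resolver and return the set of IPs it answers."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return set(parse_a_answers(data, txid))


def compare_answers(answers):
    """answers: {resolver: set of IPs}. Return the resolvers that disagree with the majority."""
    tally = Counter(frozenset(ips) for ips in answers.values())
    majority = tally.most_common(1)[0][0]
    return sorted(r for r, ips in answers.items() if frozenset(ips) != majority)


def hosts_overrides(hosts_text, watched):
    """Return {name: ip} for watched names pinned in hosts-file text (comments ignored)."""
    found = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if name.lower() in watched:
                found[name.lower()] = fields[0]
    return found


# Constructed DNS response: txid 0x1234, one answer, example.com -> 192.0.2.10.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10")
)

# Constructed hosts-file content with one suspicious pin of a watched name.
CONSTRUCTED_HOSTS = "127.0.0.1 localhost\n# comment line\n198.51.100.7  www.msn.com msn.com\n"


def main(name="example.com"):
    """Live check (needs network): system resolver versus the extra resolvers."""
    answers = {}
    try:
        answers["system"] = {ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)}
        for resolver in EXTRA_RESOLVERS:
            answers[resolver] = query_resolver(resolver, name)
    except OSError as exc:
        print("lookup failed:", exc)
        return
    print("answers:", answers)
    print("disagreeing resolvers:", compare_answers(answers))


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(CONSTRUCTED_HOSTS, {"www.msn.com"}))
    main()
```

A resolver that disagrees with the majority is not proof of tampering (CDNs legitimately answer differently by region), but it is the point at which the article's advice applies: inspect the odd IP directly before trusting it.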
The second type is known as a man-in-the-middle (MITM) attack. ARP spoofing combined with a Trojan-infected website, or direct attacks on the cache's last-mile injection, are all classified as MITM. These attacks are similar to a webpage infection on the web server, where a malicious iframe tag is inserted into the page contents, leading the user to load malware in the background. The difference is that they do not infect the computer itself, but rather alter the network packet contents by adding the malicious iframe tag directly, making them even more challenging to guard against. They can be caused by a single infected machine within the LAN (often seen previously with ARP viruses), by an infection at the xSP end (such as the previous Yam incident), or even by an infection of the internet cache server (such as the MSN website incident last year). The distinctive trait of such an attack is that there is no altered code on the website itself, but the end user receives a webpage with the malicious iframe tag inserted (usually at the top), while the rest of the webpage contents remain normal.
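Because the site's own code is untouched, the practical check is to compare a page as received over the suspect path with a trusted copy. The following Python is an added example, not code from the original article: it lists the iframes in each copy, reports those that exist only in the observed copy, and flags the zero-size or hidden frames and the "inserted at the top" placement the author describes. Both pages and the rogue URL are constructed for the example.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record every <iframe> with its attributes and whether it appears before <body>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.body_seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.body_seen = True
        elif tag == "iframe":
            self.iframes.append({"attrs": dict(attrs), "before_body": not self.body_seen})


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def is_hidden(attrs):
    """True for zero-size or display:none frames, the usual shape of a silent malware loader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip().lower()
    height = (attrs.get("height") or "").strip().lower()
    return (width in ("0", "0px") or height in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


def injected_iframes(reference_html, observed_html):
    """Report iframes in the observed copy whose src is absent from the trusted copy."""
    known = {frame["attrs"].get("src") for frame in extract_iframes(reference_html)}
    findings = []
    for frame in extract_iframes(observed_html):
        src = frame["attrs"].get("src")
        if src in known:
            continue                       # legitimate embeds present in both copies are fine
        findings.append({"src": src,
                         "hidden": is_hidden(frame["attrs"]),
                         "before_body": frame["before_body"]})
    return findings


# Constructed pages: the trusted copy as the site serves it, and a copy as a user behind a
# tampering path might receive it (the injected frame's URL is a placeholder).
REFERENCE_PAGE = """<html><head><title>Portal</title></head>
<body><h1>News</h1><iframe src="https://video.example/embed/1" width="400" height="300"></iframe>
<p>Normal content.</p></body></html>"""

OBSERVED_PAGE = """<html><iframe src="http://rogue.example/x.htm" width="0" height="0"></iframe>
<head><title>Portal</title></head>
<body><h1>News</h1><iframe src="https://video.example/embed/1" width="400" height="300"></iframe>
<p>Normal content.</p></body></html>"""


if __name__ == "__main__":
    for finding in injected_iframes(REFERENCE_PAGE, OBSERVED_PAGE):
        print("injected iframe:", finding)
```

The trusted copy can come from a second network path (another ISP, a mobile connection), exactly as the article suggests for DNS; a frame that is present on only one path and is hidden is the signature of in-transit injection rather than a compromised server.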
The third type is known as TCP hijacking or IP spoofing. This is the mastermind behind the recent attack on the MSN website. What it does is get ahead of the real reply packet from the server and send out a false packet. If the false packet succeeds in arriving a step ahead, then by the internet protocol the real data packet is treated as a repeated packet and discarded. At the client's end, the user sees the reply coming from the real server's IP and not from a third-party IP (this is different from a DNS spoofing attack), and the false packet carries HTTP redirection instructions that redirect the client to rogue websites.
Below are the packet details of this incident. You can see that packet number 5 is the false packet, and that it contains <html>..<body>..<meta http-equiv="refresh" content="0;url=http://www.dachengkeji.com/article/index.htm">..</body>..</html>, directing the client to the rogue website.
Number 8 is the real packet sent by the MSN website. You can see that its Ack and Seq numbers are the same as the false packet's, and it is thus regarded as a repeated packet.
Such an attack can also happen on a LAN or on ISP network servers. However, for such an attack it is necessary to sniff packets and follow the contents of the query packets sent from the client's end in order to create the false reply packet. Hence it is only possible if there is the capability to eavesdrop on the client's query packets. That is to say, such an attack will not be possible on a network where network broadcast is isolated.
This attack started out as experimental in nature, only redirecting the user to another website. It then evolved into redirecting to a rogue website which downloads various malware in the background to the unsuspecting client before redirecting back to the authentic website. This made it a malicious attack that is really hard to detect.
The characteristic of such an attack is that the DNS remains unchanged, but the contents of the original webpage have been altered. As a total takeover of a large website is unlikely, it is possible to identify a TCP hijacking attack by analyzing the packet data. Meanwhile, since this type of attack must happen on the route path of the packet, it also provides us a clue to find the root cause.
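The packet-level signature described for packets 5 and 8 (same flow, same Seq and Ack, different payload, the earlier one carrying a redirect) can be searched for automatically. The following Python is an added example, not code from the original article: it takes decoded segments from a capture, groups them by flow and sequence numbers, and reports any group whose members disagree on payload, noting which segment the client would have accepted and where each one redirects to. The capture below is constructed to mirror the incident; the addresses, sequence numbers and the rogue URL are placeholders, not values from the real capture.

```python
import re
from collections import defaultdict

# Redirect signatures: a meta refresh in an HTML body, or an HTTP 30x Location header.
META_REFRESH = re.compile(
    rb'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
HTTP_LOCATION = re.compile(rb'^HTTP/1\.[01]\s+30[1237].*?\r\nLocation:\s*(\S+)', re.I | re.S)


def redirect_target(payload):
    """Return the URL a segment's HTTP payload redirects to, or None if it does not."""
    for pattern in (META_REFRESH, HTTP_LOCATION):
        match = pattern.search(payload)
        if match:
            return match.group(1).decode("ascii", "replace")
    return None


def find_seq_collisions(packets):
    """Find segments of one flow that share seq and ack but carry different payloads.

    packets: dicts with keys no, src, sport, dst, dport, seq, ack, payload (no = capture
    order). Identical retransmissions are normal TCP behaviour and are not reported.
    """
    groups = defaultdict(list)
    for pkt in packets:
        if not pkt["payload"]:
            continue                       # handshake segments and pure ACKs carry no data
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"], pkt["ack"])
        groups[key].append(pkt)
    findings = []
    for (src, sport, dst, dport, seq, ack), members in groups.items():
        if len({m["payload"] for m in members}) < 2:
            continue
        members = sorted(members, key=lambda m: m["no"])
        first, later = members[0], members[1:]
        findings.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "seq": seq, "ack": ack,
            "first_no": first["no"],                       # the segment the client accepted
            "later_nos": [m["no"] for m in later],         # discarded by TCP as duplicates
            "first_redirects_to": redirect_target(first["payload"]),
            "later_redirect_to": [redirect_target(m["payload"]) for m in later],
        })
    return findings


# Constructed capture modelled on the incident: client 192.0.2.50 talks to a web server at
# 198.51.100.10; packet 5 is the forged reply that wins the race, packet 8 the genuine one.
CLIENT, SERVER = "192.0.2.50", "198.51.100.10"
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"
FAKE_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<html><body><meta http-equiv="refresh" content="0;url=http://rogue.example/index.htm">'
             b"</body></html>")
REAL_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><head><title>Portal</title></head><body>Welcome</body></html>")


def _seg(no, src, sport, dst, dport, seq, ack, payload=b""):
    return {"no": no, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ack": ack, "payload": payload}


CONSTRUCTED_CAPTURE = [
    _seg(1, CLIENT, 50000, SERVER, 80, 1000, 0),                          # SYN
    _seg(2, SERVER, 80, CLIENT, 50000, 5000, 1001),                       # SYN/ACK
    _seg(3, CLIENT, 50000, SERVER, 80, 1001, 5001),                       # ACK
    _seg(4, CLIENT, 50000, SERVER, 80, 1001, 5001, GET_REQUEST),          # request
    _seg(5, SERVER, 80, CLIENT, 50000, 5001, 1001 + len(GET_REQUEST), FAKE_BODY),  # forged reply
    _seg(6, CLIENT, 50000, SERVER, 80, 1001 + len(GET_REQUEST), 5001 + len(FAKE_BODY)),
    _seg(7, CLIENT, 50000, SERVER, 80, 1001 + len(GET_REQUEST), 5001 + len(FAKE_BODY)),
    _seg(8, SERVER, 80, CLIENT, 50000, 5001, 1001 + len(GET_REQUEST), REAL_BODY),  # real reply
]


if __name__ == "__main__":
    for finding in find_seq_collisions(CONSTRUCTED_CAPTURE):
        print(finding)
```

Run against a real capture, the segment dicts would be filled from a decoder such as a pcap library; the detection itself only needs the five-tuple, Seq, Ack and payload. Because the forged segment must arrive first, the capture point that sees it earliest is also the one closest to where it was injected, which is the route-path clue the article mentions.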
No matter which type of attack it is, it is easy to receive false data via loopholes in the internet protocols. However, not all of them are able to maintain connectivity. Hence, hackers need to redirect the browser to rogue websites before they are able to carry out the attacks.
Experience a FREE trial to enhance your web threat protection capability here:
Trend Micro Internet Security Pro 2009
